docs: update tasktracking with CF-Connecting-IP trust

root 2026-04-25 11:45:22 +08:00
parent e035fb07a9
commit e29584258b

@ -15,4 +15,6 @@
- `web/middleware/ratelimit.go` — use RemoteAddr in rate limiter
## Note
If the panel runs behind a reverse proxy, `RemoteAddr` will show the proxy IP. To restore header-based IP detection, configure `engine.SetTrustedProxies()` in `web/web.go` with the proxy's IP.
- Trusts Cloudflare's `CF-Connecting-IP` header (CF overwrites it, clients cannot spoof)
- Falls back to `RemoteAddr` for direct connections without CDN
- `X-Real-IP` / `X-Forwarded-For` are NOT trusted (can be spoofed by clients)
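
Review bot: the claim "CF overwrites it, clients cannot spoof" on the `CF-Connecting-IP` line holds only for requests that actually arrive through Cloudflare, and the next line says direct connections without a CDN are also served. On a direct connection nothing overwrites the header, so a client can send its own `CF-Connecting-IP`. Please state the condition under which the header is honoured (for example, only when `RemoteAddr` is a Cloudflare address, or the origin only accepts traffic from Cloudflare) and that `RemoteAddr` is used otherwise, since `web/middleware/ratelimit.go` is listed above as depending on this address. The existing paragraph about `engine.SetTrustedProxies()` also still tells readers how to "restore header-based IP detection", which reads as contradicting the new bullet that `X-Real-IP` / `X-Forwarded-For` are NOT trusted; one of the two should be reworded so the note gives a single answer for reverse-proxy deployments.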